SIGNIFLOW

Discover our signature platform: sign and request signature for your PDFs in a fex clicks!

JOIN OUR AFFILIATE NETWORK

Join our affiliate network
and become a local SSL expert
Learn more about our program

PRODUCTS TO DISCOVER

SSL certificates Invoice signature eIDAS certificates Signature software

Menu
picture of tbs certificates
picture of tbs certificates
Certificates
ALL CERTIFICATES
SSL Extended Validation SSL Standard RGS certificates eIDAS certificates SSL ECC SSL wildcard SSL Multiple sites / SAN Quick and Dirty SSL
Specific certificates VMC certificates
E-signature Strong authentication S/MIME certificates
Test certificates PKI Solutions Trust Seals
SigniFlow: the platform to sign and request signature for your documents
Signature software
Our products range
TBS X509 DigiCert Thawte Sectigo GlobalSign GeoTrust Certigna ChamberSign SigniFlow Harica
Partners
Client login Customer accounts Open an account
Support
FAQ SHA256: Browsers' compatibility ECC: Browsers' compatibility
Focus
Invoices dematerialization
We now provide solutions compliant with RGS** and eIDAS qualified standards for invoices signature and time stamping. Further information


Server certificate in which the CN is an unexisting FQDN (intranet)

Our customers frequently ask for server certificates in which the CN is a name (in letters) that does not match an officially declared domain. The list of official root domains is available here.

Unofficial domains used for internal purposes might present a risk for 2 different entities can request a certificate for the same CN. Furthermore, a domain, that is not official today, can become official tomorrow. Indeed it can be bought creating new risks of impersonation.

That's the reason why several certification authorities already refuse to issue such certificates. The standards also require their disappearance as of 2015, further information. There is an exception for reserved domains of RFC 2606 (.test .example .invalid .localhost).

We advise not to use internal domains and to modify the ones that are currently being used, see Rename an active directory domain

Enter an IP address in the certificate's CN field?

By definition, a certificate secures / authenticates what is indicated in the CN (Common Name) field. So, if a fully qualified domain name is provided, the server is not dependent from the IP address. In this case, the web site access will always be valid whether you connect by its IPV4 or IPV6 address (even if the server is behind a router with a local network IP address) as long as you access it by its name (in the browser's URL bar).

Of course, you loose this independence when you enter an IP address in your certificate.

Enter a private IP in your certificate:

We advise not to, for the same reasons than for the intranet FQDN (cf here above).

 IP V4 private addresses (RFC 1918):

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0./16.

 IP V6 private addresses ( RFC 5156, RFC4193, RFC4291):

IPv6 prefix

  • fc00::/7: unique local addresses
  • fe80::/10: local addresses of link

Enter a public (official) IP in your certificate:

If you need a certificate for a public IP address, ask your ISP or hosting company if this IP actually attributed to your organization's name (field O of the CSR) (it is sometimes provided by professional subscriptions). It will link the IP address owner and the certificate requester.

Soon, with the new IPv addresses, this correspondence between an IP address and an organization should become more common (via a simple request to your ISP or hosting company), and might even be automated at the subscription.

Get more information about obtaining a server certificate and generating the certificate request: CSR: click here

Obtain a server certificate

Create the certificate request on your server: CSR